Main Menu
Network
Sponsor
Top 10 Sites
Partners
|
|
Top Submit newsSubscribe 
Communication | Computer Crime | Digital Audio, Video, Photo | General News | Hardware | Internet | Mobile | PDA | Security | Software | Vulnerability |
Previous articleBack to news listNext article
| Sponsored links | Want to become one of our authors and see your work published on ALLSeek.iNFO ?
| | 3Com OfficeConnect ADSL Wireless 11g Firewall Authentication Flaw May Let Remote Users Hijack Sessions and DHCP Validation Flaw |
|---|
Categorie: Vulnerability
Posted: 2004-10-20 by ReCall
Views: 490
Source: Click here
| Current Rating: Not rated
|
| | Details |
|---|
Description: Several vulnerabilities were reported in the 3Com OfficeConnect ADSL Wireless 11g Firewall (Model 3CRWE754G72-A). A remote user can conduct a cross-site scripting attack against the administrator. A remote user may be also able to hijack an administrative session.
Cyrille Barthelemy reported that the device does not filter HTML code from DHCP requests before displaying the information via the administrative interface. A remote user can send a specially crafted request. Then, when the target administrator reviews the log, arbitrary scripting code will be executed by the target administrator's browser. The code will originate from the device's web interface and will run in the security context of that site. As a result, the code will be able to access the target administrator's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the target administrator.
A demonstration exploit is provided:
dhcping -opttype 'REQUEST' -opthostname '<h1>Oops</h1>' -z
It is also reported that a remote user can connect to the management interface to determine the IP address of any administrator that is currently logged in (if any). Then, the remote user may be able to spoof the IP address and hijack the connection.
It is also reported that a remote authenticated user (or a remote user with the ability to hijack an administrative session as previously described) can access the binary configuration file to obtain the administrator password, WEP key, and WEP passphrase. The configuration file URL is:
http://192.168.0.1/cgi-bin/config.bin
A remote authenticated user (or a remote user that has hijacked the administrative session) can clear the log file. A demonstration exploit command is provided:
w3c -post http://192.168.0.1/cgi-bin/statusprocess.exe -form "securityclear=1"
The vendor was notified on August 24, 2004.
Impact: A remote user can access the target administrator's cookies (including authentication cookies), if any, associated with the site running the vulnerable software, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the target administrator.
A remote user may be able to hijack and administrative session, and can then access the administrator's password and the WEP key and passphrase.
Solution: The vendor has issued a fix, available at:
http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&sku=3CRWE754G72-A&order=desc
| | Syndication |
|---|
Permalink Email this
The URI to TrackBack this entry is:
http://allseek.info/news/trackback.php?id=1031
| | User comments (post your comments ) |
|---|
Only registerd members can post comments and articles
|
| Previous articleBack to news listNext article
|
|
|
|
InterJOB.su
|
